Over 50K Tinyproxy Servers Under Threat from DoS, RCE Vulnerabilities

Approximately 50,000 instances of Tinyproxy, a widely used open-source proxy server designed for small networks, are exposed to denial-of-service (DoS) and potentially remote code execution (RCE) through a flaw that a single HTTP request can trigger. The flaw, tracked as CVE-2023-49606, affects Tinyproxy versions 1.11.1 and 1.10.0: a specifically crafted HTTP Connection header triggers a use-after-free condition, corrupting memory and crashing the service. According to recent intelligence from threat-hunting platform provider Censys, a more intricate attack could turn the bug into RCE, which is why it carries a critical severity rating of 9.8 out of 10 on the CVSS scale.

While Tinyproxy caters to small network environments like those in small businesses and public Wi-Fi providers, enterprises also employ it for testing or development purposes, rendering them vulnerable to exploitation. Although no active exploits have been reported, a recent Censys search indicates over 90,000 hosts exposing Tinyproxy services, with more than 57% potentially vulnerable. Among the networks with the highest concentration of Tinyproxy servers is AMAZON-02 from Amazon Web Services, aligning with the software’s usage among individual users and smaller entities.

Publicly Accessible Exploit: Is it Operational?

On May 1, Cisco Talos released a proof-of-concept exploit for the vulnerability, illustrating how a basic HTTP request can trigger CVE-2023-49606. However, “rofl0r,” the maintainer of the Tinyproxy project, criticized Cisco Talos’ write-up of the flaw and its exploitation in a GitHub post, dismissing it as “uninformative” and as failing to accurately describe the bug or how it is exploited.
In the same post, the maintainer explains the flaw in detail, labels it “severe,” and links to an update that is intended to address the vulnerability.
As of Wednesday, Cisco Talos had not responded to rofl0r’s rebuttal of its assessment of the flaw and its exploit.

Analyzing the Tinyproxy Vulnerability

According to rofl0r’s GitHub post, the vulnerability lies in the code that removes the “connection” and “proxy-connection” headers from the list of received headers: the remove_connection_headers() function in src/reqs.c in Tinyproxy.
The affected code, written in 2002 and never updated since, performs a fixed sequence of steps: it retrieves the value of either “connection” or “proxy-connection” from the key-value (KV) store, splits that value into pieces on various delimiters, and then removes each piece from the KV store.

Explaining further, the maintainer stated, “The bug arises if one of these pieces matches ‘connection’ or ‘proxy-connection’ (case-insensitive) and matches the key used earlier to retrieve the value. This results in its deletion (freed) from the KV store, but the code continues to access the retrieved value pointer.”

The post asserts that the bug “definitely enables” a DoS attack on the server if it “uses musl libc 1.2+ – where the hardened memory allocator automatically detects UAF, or is compiled with an address sanitizer.” Furthermore, it “potentially allows” for RCE.
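As an added illustration that is not part of this article or of Tinyproxy's own code, the following C program reconstructs, in a toy key/value store, the ordering defect the maintainer describes (the value is split while the store still owns it, so removing a piece that names the header being processed frees the buffer the loop is reading) and sets it beside the copy-before-mutate ordering that avoids it. It also includes a small check that flags a Connection or Proxy-Connection value naming its own header, which is the condition a defender would look for in request logs. The store, the function names and the sample header values are assumptions made for this example; the safe variant shows the generic fix pattern and is not a claim about the exact upstream patch.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy header store standing in for Tinyproxy's key/value list (constructed for this
 * example, not the project's own structure). Each entry owns its key and value strings. */
#define MAX_HEADERS 16
struct header_store {
    char *keys[MAX_HEADERS];
    char *values[MAX_HEADERS];
    int count;
};

static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Case-insensitive equality, the way header names are compared. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

int store_add(struct header_store *s, const char *key, const char *value)
{
    if (s->count >= MAX_HEADERS) return -1;
    s->keys[s->count] = dup_string(key);
    s->values[s->count] = dup_string(value);
    s->count++;
    return 0;
}

/* Returns the stored buffer itself; it dangles as soon as store_remove() frees the entry. */
char *store_get(const struct header_store *s, const char *key)
{
    for (int i = 0; i < s->count; i++)
        if (ieq(s->keys[i], key)) return s->values[i];
    return NULL;
}

int store_remove(struct header_store *s, const char *key)
{
    for (int i = 0; i < s->count; i++) {
        if (ieq(s->keys[i], key)) {
            free(s->keys[i]);
            free(s->values[i]);
            s->count--;
            s->keys[i] = s->keys[s->count];      /* move last entry into the hole */
            s->values[i] = s->values[s->count];
            return 1;
        }
    }
    return 0;
}

/* Splits a comma/space separated header value in place; returns the next piece or NULL. */
static char *next_piece(char **cursor)
{
    char *p = *cursor;
    while (*p == ' ' || *p == ',' || *p == '\t') p++;
    if (*p == '\0') return NULL;
    char *start = p;
    while (*p && *p != ' ' && *p != ',' && *p != '\t') p++;
    if (*p) *p++ = '\0';
    *cursor = p;
    return start;
}

static const char *const CONN_KEYS[] = { "Connection", "Proxy-Connection" };

/* Defect pattern, reconstructed in simplified form from the maintainer's description (not
 * Tinyproxy's code): the value is split while the store still owns it, so removing a piece
 * that names the key being processed frees the buffer 'cursor' still points into, and the
 * next call to next_piece() reads freed memory. Shown for contrast only; never called here. */
void remove_connection_headers_unsafe(struct header_store *s)
{
    for (int k = 0; k < 2; k++) {
        char *cursor = store_get(s, CONN_KEYS[k]);
        if (!cursor) continue;
        for (char *piece = next_piece(&cursor); piece; piece = next_piece(&cursor))
            store_remove(s, piece);          /* use-after-free when piece names CONN_KEYS[k] */
        store_remove(s, CONN_KEYS[k]);
    }
}

/* Hardened ordering: take a private copy first, so no removal can invalidate the buffer being
 * split. Copy-before-mutate is the generic fix for this pattern, not a claim about the exact
 * upstream patch. Returns the number of headers removed, or -1 on allocation failure. */
int remove_connection_headers_safe(struct header_store *s)
{
    int removed = 0;
    for (int k = 0; k < 2; k++) {
        char *stored = store_get(s, CONN_KEYS[k]);
        if (!stored) continue;
        char *copy = dup_string(stored);
        if (!copy) return -1;
        char *cursor = copy;
        for (char *piece = next_piece(&cursor); piece; piece = next_piece(&cursor))
            removed += store_remove(s, piece);
        free(copy);
        removed += store_remove(s, CONN_KEYS[k]);  /* the header itself, if a piece did not already drop it */
    }
    return removed;
}

/* Detection helper for request inspection or proxy logs: returns 1 if a Connection or
 * Proxy-Connection value names its own header (case-insensitive), the trigger condition the
 * maintainer describes; 0 otherwise; -1 on allocation failure. */
int value_names_own_key(const char *key, const char *value)
{
    char *copy = dup_string(value);
    if (!copy) return -1;
    int hit = 0;
    char *cursor = copy;
    for (char *piece = next_piece(&cursor); piece && !hit; piece = next_piece(&cursor))
        hit = ieq(piece, key);
    free(copy);
    return hit;
}

int main(void)
{
    struct header_store s = { {0}, {0}, 0 };
    store_add(&s, "Host", "example.test");                    /* constructed sample request */
    store_add(&s, "Connection", "keep-alive, Connection");    /* value naming its own header */
    store_add(&s, "Keep-Alive", "timeout=5");
    printf("flagged=%d\n", value_names_own_key("Connection", store_get(&s, "Connection")));
    printf("removed=%d remaining=%d\n", remove_connection_headers_safe(&s), s.count);
    while (s.count) store_remove(&s, s.keys[0]);
    return 0;
}
```

The only difference between the two removal routines is who owns the buffer being tokenized while the store is mutated; the same copy-before-mutate rule applies to any code that iterates over a container while deleting from it. Building the hardened routine with AddressSanitizer, or running it under the hardened musl allocator the post mentions, is the practical way to confirm that no freed memory is touched.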

CVE-2023-49606: Analysis and Remediation

According to Cisco Talos, a simple unauthenticated HTTP request can trigger the vulnerability. However, rofl0r countered this claim, asserting that the code is activated only after access list checks and authentication have been completed.
This implies that a Tinyproxy administrator who enables basic authentication with a sufficiently strong password is shielded from exploitation. Moreover, according to rofl0r, a proxy that is reachable only from a trusted private network, such as a corporate LAN, cannot be attacked from outside.

In addition to implementing the provided update from GitHub, Tinyproxy administrators can minimize the risk of compromise by ensuring that the Tinyproxy service is not exposed to the public Internet, especially if it is utilized in a development or testing environment, as advised by Cisco Talos.
